From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: 'Akhil Goyal' <akhil.goyal@nxp.com>, "'dev@dpdk.org'" <dev@dpdk.org>
Cc: "'stable@dpdk.org'" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix SPD no-match is misinterpreted
Date: Thu, 4 Apr 2019 12:16:03 +0000 [thread overview]
Message-ID: <2601191342CEEE43887BDE71AB9772580148A90C68@irsmsx105.ger.corp.intel.com> (raw)
Message-ID: <20190404121603.rUGen3BnPlqIvMmDdq9T6CIgzwTLWIx5u-FREXq_yZU@z> (raw)
In-Reply-To: <2601191342CEEE43887BDE71AB977258013656229A@irsmsx105.ger.corp.intel.com>
Hi Akhil,
> > > > acl_classify() returns zero value when no matching rule was found.
> > > > Currently ipsec-secgw treats it as a valid SPI value, though it has
> > > > to discard such packets.
> > > > Error could be easily observed by sending outbound unmatched packets,
> > > > user will see something like that in the log:
> > > > IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0
> > > >
> > > > To fix it we need to treat packets with zero result from acl_classify()
> > > > as invalid ones. Also we can change DISCARD and BYPASS values to
> > > > simplify checks and save some extra space for valid SPI values.
> > > spi value =0 is invalid but zero result may have a valid packet.
> > > consider a case:
> > > SPI = 128 or 256 or 512 and so on => sa_idx = 0 and result will come as
> > > zero, and this would be a valid packet.
> > >
> > > I see that the sa_idx calculation logic is not correct in first place.
> > > There will be multiple spi values for same sa_idx which is not correct.
> > > So we have 2 issues here:
> > > 1. result = 0, means sa_idx =0 which may be correct, but as you said if
> > > acl_classify fails, it also return 0.
> > > 2. SPI values which are IPSEC_SA_MAX_ENTRIES apart will have same sa_idx
> > > and will keep on overwriting the previous ones.
> > >
> >
> > Ok I see what you mean.
> > The easiest fix for that (till we'll have proper SAD) would be not to allow
> > SPIs bigger than IPSEC_SA_MAX_ENTRIES.
> > Are you ok with that?
> > Konstantin
>
> After another thought, it seems that we can easily overcome that problem
> without introducing extra limitations - just need to store 'sa_idx + 1' in acl table.
> Will give it a try with v2.
Actually, after yet another thought - I think there is no need for that.
We can store in ACL full SPI and do SPI2IDX after acl_classify().
Just sent v2, please have a look.
Konstantin
next prev parent reply other threads:[~2019-04-04 12:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-28 12:47 Konstantin Ananyev
2019-03-28 12:47 ` Konstantin Ananyev
2019-03-29 10:53 ` Akhil Goyal
2019-03-29 10:53 ` Akhil Goyal
2019-03-29 18:22 ` Ananyev, Konstantin
2019-03-29 18:22 ` Ananyev, Konstantin
2019-03-30 11:22 ` Ananyev, Konstantin
2019-03-30 11:22 ` Ananyev, Konstantin
2019-04-04 12:16 ` Ananyev, Konstantin [this message]
2019-04-04 12:16 ` Ananyev, Konstantin
2019-04-04 12:13 ` [dpdk-dev] [PATCH v2] " Konstantin Ananyev
2019-04-04 12:13 ` Konstantin Ananyev
2019-04-04 18:39 ` Zhang, Roy Fan
2019-04-04 18:39 ` Zhang, Roy Fan
2019-04-23 12:58 ` Akhil Goyal
2019-04-23 12:58 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2601191342CEEE43887BDE71AB9772580148A90C68@irsmsx105.ger.corp.intel.com \
--to=konstantin.ananyev@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).